As digital crime evolves, cyber insurance could be part of the solution. We explore how it can protect banks against financial losses and provide resources in the event of a cyber attack.
By Beth Mattson-Teig
Big organizations like Microsoft, Colonial Pipeline and the Red Cross have notably been hit by cybercrime, but in this case, smaller doesn’t necessarily mean safer.
“A lot of people have this notion that it will never happen to my business or my bank, because it’s too small,” says Linda Comerford, assistant vice president of incident response and cyber services at AmTrust Financial Services Inc. “That has been the exact opposite of my experience. You actually see more instances of issues with the smaller businesses. AmTrust recently worked with one community bank client that was the target of a ransomware attack that shut down its branches for two weeks. The bank was only able to get fully up and running after it paid a negotiated ransom.”
Cybercrime is becoming more sophisticated, with bad actors aiming to profit from data theft, malware and ransomware attacks. They typically look around at financial systems to see how much revenue and assets a bank has to pay a ransom, but any bank with exposure to the internet faces some level of cyber risk, even from something as simple as an employee clicking on the wrong link in an email.
“The cybercrime world is evolving rapidly, and what the bad actors are looking for in a target is not necessarily size or a big name,” says Jared Gentile, assistant vice president, bond and specialty insurance at Travelers. “They are looking for vulnerabilities that they know how to exploit.”
Insuring against cyber risks
One line of defense is cyber insurance. “Cyber insurance today is what property insurance was 50 years ago,” notes Gregory Montana, chief risk officer at FIS. Cyber insurance not only provides financial reimbursement for losses; it also equips the insured with access to a list of preapproved incident response experts that are required to help the bank manage a cyber event.
Cyber insurance products vary depending on the carrier and how an individual policy is structured, but most companies offer first-party coverage and third-party liability coverage. In the case of a cyber event, first-party coverage often pays for costs such as forensics and analytics to understand the scope of a breach, attorney fees to manage legal exposures, notifications for employees and customers, ransom payments, data restoration and business interruption costs. Liability policies respond to lawsuits or any regulatory action and fines that result from a cyber event.
Cyber events typically are not covered in general liability insurance policies. It’s important for banks to understand what is and isn’t covered under their individual policies. For example, some might exclude the payment in a ransomware attack.
“Not every policy is going to be the same. They really suit the needs of the business,” says Comerford. Banks can choose to add options to a standard cyber insurance package, such as coverage for reputational damage or public relations costs related to a breach. “The worst thing that can happen is you think you have coverage for something, but it is not actually included in the policy you purchased,” Comerford adds.
The price of cyber insurance premiums varies depending on a bank’s credit risk, coverage and policy limits that might range from $1 million to hundreds of millions of dollars in aggregate limits. “Banks should work with their agent or broker to determine what the best level of coverage is for them,” says Gentile.
Resources provide added value
Insurance providers and carriers can also serve as a significant resource in providing information and helping banks respond quickly to a breach.
“One of the biggest benefits of a cyber policy, especially for a smaller community bank, is access to experts,” says Gentile. When a bank has an event, it can pick up the phone and contact the legal counsel or “breach coaches” who essentially quarterback the response to whatever has happened. It is the breach coach who engages the forensics, legal and notification services that help to mitigate damage.
“The biggest benefit to a bank is knowing that those resources are available and ready if they need them, and having an insurance company that can also foot the bill for that is important,” he says.
In addition, insurance carriers can help banks take proactive steps to shore up defenses against cyber threats. Steps such as multi-factor authentication have proven to be highly effective and are viewed as minimum security features for banks seeking cyber insurance. Some insurance carriers even offer discounts for banks that have additional layers of security, such as multi-factor authentication or end-point detection and remediation.
A downside of cyber insurance is that the claims cycle is often lengthy and complex, taking many months, and sometimes several years, to completely resolve. This not only delays reimbursement for losses, but can also be a drain on internal resources, notes Montana.
Another challenge for banks is that not every cyber insurance policy is created equal. “Coverage terms can be added and subtracted through a complex web of endorsements that can leave the insured feeling frustrated at the end of the claims process,” he says.
Yet insurance can be an important wall of defense against cyber risks—a good advocate in helping the bank mitigate exposure to cyber risk. “It’s really important to know that cyber insurers are a partner,” says Comerford. “We want to help you before you have an incident, and we are here to help you when you do have an incident to hold your hand through the process.”
Regulators paying closer attention to cyber risks
The banking industry could face greater regulatory scrutiny and pressure ahead on how it is managing cyber risks.
Federal regulatory groups are drawing more attention to how cyber insurance is a critical part of broader risk management strategies. “Bank regulators have become keenly aware of how a cyber event could impact the financial stability of a bank, bank customers and also bank employees,” says Jared Gentile, assistant vice president, bond and specialty insurance at Travelers.
In November 2021, the FDIC, OCC and the Board of Governors of the Federal Reserve System approved a new rule requiring banking organizations to notify regulators of “any significant computer-security incident” as soon as possible and no later than 36 hours after a determination that such an incident occurred.
The FDIC and the OCC also issued an interagency statement on heightened cybersecurity risk that focuses on ways banks can reduce the risk of a cyber attack and minimize business disruptions. Some of the highlights for sound risk management for cybersecurity include:
- Response and resilience capabilities: Review, update and test incident response and business continuity plans
- Authentication: Protect against unauthorized access
- System configuration: Securely configure systems and services
Beth Mattson-Teig is a writer in Minnesota.